This document describes the security properties of the MongrelDB Go client and how to report vulnerabilities.
The MongrelDB Go client is a pure-Go library (no cgo) that talks to
mongreldb-server over HTTP using the standard library net/http. The
client itself holds no encryption keys and stores no data at rest; it is a
thin request/response layer over the daemon.
- The client communicates with
mongreldb-serverover plain HTTP. The daemon binds to127.0.0.1by default — traffic stays on the loopback interface. For remote or multi-tenant deployments, terminate TLS in a reverse proxy (nginx, Caddy) in front of the daemon. - The client supports Bearer token and HTTP Basic auth, matching the
daemon's
--auth-tokenand--auth-usersmodes. Credentials are sent only in theAuthorizationheader and are never logged by the client. - The native Condition API and query builder accept typed parameters (column IDs, typed values) — no string interpolation, no SQL injection surface. User-supplied values are serialized as typed JSON, not concatenated into queries.
- WARNING — raw SQL: The
sql()method sends a raw SQL string to the server. It does NOT parameterize or sanitize input, and the client never interprets SQL locally. Never interpolate untrusted user input into SQL statements — use parameterized queries where the server supports them, or validate/escape input yourself. (The native condition API and query builder remain type-safe and are not affected.) - Idempotency keys are caller-supplied opaque strings; the client does not derive or store them.
- The transport is pluggable: bring your own
*http.Client, or set a per-request timeout.
The client is a consumer of mongreldb-server. The daemon's security
posture:
- Binds to
127.0.0.1only — not accessible from other machines. - No authentication by default — any local process can query, write, or
delete data. Enable
--auth-tokenor--auth-usersfor any shared host. - No TLS — traffic is plaintext on the loopback interface.
- No rate limiting or request size caps.
For remote access or multi-tenant environments, place a reverse proxy (nginx, Caddy) in front with TLS termination and authentication. Do not expose the daemon directly to a network.
- The query builder produces typed JSON requests. Invalid column IDs, value encodings, and numeric ranges are rejected before any request is sent.
- Server and network errors are mapped to the typed error hierarchy
(
ErrAuth,ErrNotFound,ErrConflict,ErrQuery) plus a*ResponseErrorcarrying the status code and decoded server envelope, not leaked as generic errors.
The MongrelDB Go client has no runtime dependencies beyond the Go standard library. Report dependency vulnerabilities through GitHub's Dependabot alerts or the private vulnerability reporting flow below.
Do not file a public GitHub issue, discussion, or pull request for security problems. Report privately through GitHub's private vulnerability reporting:
- Go to the repository's Security tab.
- Click Report a vulnerability.
- Fill in the advisory form with the details below.
This keeps the report confidential between you and the maintainers until a fix is ready. Please include as much as you can:
- a description of the issue and its impact,
- step-by-step reproduction steps,
- the MongrelDB Go client version, Go version, and OS,
- the
mongreldb-serverversion if relevant, - the relevant configuration, error output, or a proof-of-concept,
- a suggested fix or mitigation, if you have one.
- Acknowledgement of your report within a few days.
- An initial assessment and, where confirmed, a remediation plan.
- Progress updates through the private advisory thread until the issue is resolved.
- Credit for your responsible disclosure in the advisory, unless you prefer to remain anonymous.
We ask that you give us a reasonable opportunity to ship a fix before any public disclosure.